Car thief whisks off Wells data

David Lazarus

Published 4:00 am, Friday, April 16, 2004

A laptop computer containing the names, addresses and Social Security numbers of thousands of Wells Fargo mortgage customers nationwide was stolen in late February when a pair of bank employees traveling in the Midwest stopped at a gas-station convenience store, leaving the keys in the ignition of their unlocked rental car.

As the Wells workers shopped for snacks, a thief made off with the car, a yellow Ford Mustang, around 2 p.m. on Feb. 26, according to police. When the vehicle was recovered five days later, all its contents were gone, including the laptop containing Wells' confidential information.

This is the second time in recent months that a thief has inadvertently made off with confidential Wells Fargo customer data. In November, a computer containing the names, addresses and Social Security numbers of thousands of home-loan clients was stolen from the Concord office of a consultant hired by the San Francisco bank.

Related Stories

Neither theft has resulted to date in customers' privacy being compromised, Hernandez added.

In the latest incident, the bank did not alert customers about its missing data until almost a month after the theft was reported to police. Hernandez said it took this long because Wells needed to determine the scope of information involved and to arrange protective measures for clients.

In a letter dated March 22, Wells tells affected people only that an employee's laptop "was stolen from his vehicle's trunk."

"Confidential loan information was stored on the computer's hard drive," the letter says, without detailing the nature of the data. It specifies only that "no passwords or personal information numbers were included on the files."

Hernandez said the computer contained "credit report data" for thousands of homeowners, including their names, addresses and Social Security numbers. He said affected customers reside primarily in Colorado, Illinois and Indiana, but also include people throughout the country, including hundreds in California.

Wells declined to identify the two employees involved in the Missouri theft or explain why they were in possession of so much customer data on a business trip.

The bank also won't say exactly how many customers were affected by either the November or February thefts, except that in each case the number runs in the thousands.

"We realize this causes a lot of anxiety," Hernandez said. "But at this point, we have no evidence that the data has been misused."

Carbray, the sole investigator at the Edmundson Police Department, described the theft as a "crime of opportunity." He said the thief probably spotted the keys in the Mustang's ignition and decided then and there to jump behind the wheel.

The car was found by police 15 miles away in St. Louis on March 2. "There was nothing left inside," Carbray said, noting that because the thief had the keys, there would have been no difficulty getting into the trunk, where the laptop was located.

Carbray said a suspect was briefly detained last week when some of the stolen property was discovered in a relative's home. However, he said, the person was released when it became clear that he had nothing to do with stealing the car or obtaining the stolen goods.

There are no leads as to the whereabouts of the missing laptop, Carbray said. He observed, though, that the computer requires a password to access what's stored on the hard drive.

"The St. Louis area has been hit pretty hard by car theft recently," Carbray said. "Most guys we're dealing with are idiots. I'm just afraid that they could try to make a quick buck by selling the laptop to someone who knows what he's doing."

Security experts say that passwords can be easily gotten around using simple techniques and software tools.

"Passwords may be a good way to keep out people who don't know about computers," said Nate Lawson, senior security engineer at Cryptography Research, a San Francisco consulting firm. "But that's about it."

A Concord man was arrested by police and Secret Service agents about a month after the November computer theft. Police say the suspect, Edward Krastof, admitted to stealing the computer containing Wells' data but subsequently pleaded not guilty to the crime. He is free on bail pending trial.

After that incident was publicized, the bank issued a memo to employees reminding them that "identity theft affects everyone."

It outlined a series of steps for improved computer security, including always keeping equipment under control and never leaving customer information unattended.

"Customers can experience financial loss, loss of privacy and loss of confidence in Wells Fargo's abilities to protect their personal and account information," the memo says.

It states that violations of the company's security policy could result in employees being fired. Wells' Hernandez declined to say whether the two workers in the Missouri case were disciplined over their stolen laptop.

"It was an unfortunate incident," he said. "We apologize to customers for the events that have taken place."

At the Edmundson Police Department, Carbray said he has only one message for people who travel with confidential data: "Take your keys out of the car."